NEW YORK—Retired Gen. Michael Hayden, a former National Security Agency director, had a gloomy message for corporate IT security managers: You are on your own in the cyber-security war.
That was one conclusion from a provocative talk by Hayden at a customer event held by security vendor Centrify here May 11.
“Your government is and will remain late to need in providing security in the cyber domain,” he said. “You are going to be more responsible for your security [there] than you have been responsible for your security [in the physical realm] since the closing of the American frontier in 1880 or 1890.”
Hayden said cyber-security is not just a U.S. government problem: “Government is too slow to operate up here—all governments, and now we Americans have this additional built-in caution to protect our privacy against government intrusion.”
Government should be able to handle certain types of cyber-threats, he said, attacks that threaten loss of life, destruction of property or lasting economic damage. But that’s a very small percentage of actual attacks. For the rest, we are on our own. “Even the Secretary of Defense is telling you the next sound you hear is not the digital bugle of the digital cavalry coming over the ridge to save the day.”
Some of Hayden’s most interesting comments were about the U.S. government’s role in ongoing cyber-espionage. “What nation-states conduct cyber espionage? All of them. What state is the very best at conducting cyber-espionage? We’re number one. We really are. We’re really good. That doesn’t mean we are like the others … because your espionage services steal other things in this [cyber] domain to keep you free and keep you safe. Your espionage services don’t steal to make you rich.”
Hayden, a former four-star general in the U.S. Air Force, is the only person ever to hold the position of NSA director under Presidents Clinton and Bush from 1999 to 2005 and the Central Intelligence Agency under Bush from 2006 to 2009. He was on duty as NSA director on Sept. 11, 2001, and has had a front-row seat to all of the major cyber-security incidents of the past 15 years.
Now serving as a consultant, Hayden said we are in a new “domain,” the cyber domain, of national defense postures, and it has flipped the government’s usual national security role on its head.
He discussed the power of Stuxnet as a cyber-attack tool, but didn’t point any fingers at the perpetrators, slyly saying: “I don’t know nothing about no Stuxnet.” He was less circumspect about the attack on the U.S. Office of Personnel Management last year. “My and 21.5 million other portfolios were stolen by—I’m here to tell you it was the Chinese—even though our government won’t say it was the Chinese.”
But, he said, this is not shame on China. It’s shame on us for not being prepared—or for not doing the same thing.
Gen. Hayden: Private Sector Must Lead Fight Against Cyber-Threats
What then is to be done about cyber-security? Despite constant bombardment from the outside, real threats lay inside our networks, which is where Centrify’s identity management and authentication tools come in.
But as Hayden joked, he knows something about insider threats. Edward Snowden, whom Hayden called “Voldemort,” leaked NSA documents a few years after Hayden left the agency. “The new danger of the cyber domain is not just the empowerment of these bad actors. It’s the ability of the outsider to become the insider, the ability of the outsider to assume the persona of the insider,” he said.
This leads the discussion back to the private sector, including companies such as Centrify and FireEye, which the government is seeking guidance from. “With the exception of a thin slice of things that only the government can deal with, the main body for American cyber-defense is the private sector. I tell my friends still in government, get over it.”
He said the role of the private sector became clear in the case of Apple, about which he said the government had the wrong idea before they decided to buy the hack to open the iPhone 5C used by terrorist in a December 2015 mass murder in San Bernardino, Calif.
“If you accept the premise that we are going to sink or swim, based upon the performance of the private sector, and the private sector has now developed what appears to be pretty good encryption, why would you demand that they do something that everyone agrees, even in a perfect world, would in some measure reduce the security of that?”
It’s a new world, one we haven’t even been able to describe. Of the massive data breach resulting from the hack of Sony Pictures Entertainment’s network disclosed in November 2014, he said, “President Obama described it as an act of vandalism. But it was much worse than that. He should have called it … if you’ve got a good word let me know. … We have not yet gotten the big concept squared. We have not yet figured the real no-fooling definitions.”
For now, let’s just call it cyber-warfare.
Scot Petersen is a technology analyst at Ziff Brothers Investments, a private investment firm. He has an extensive background in the technology field. Prior to joining Ziff Brothers, Scot was the editorial director, Business Applications & Architecture, at TechTarget. Before that, he was the director, Editorial Operations, at Ziff Davis Enterprise. While at Ziff Davis Media, he was a writer and editor at eWEEK. No investment advice is offered in his blog. All duties are disclaimed. Scot works for a private investment firm, which may at any time invest in companies whose products are discussed in this blog, and no disclosure of securities transactions will be made.